The 100 Security and Anti Annoyances Preferences Reconfiguration Script, version 0.6

This script applies to browsers and mail programs or other programs using the Gecko® rendering engine from the Mozilla® open source project. Applications built upon the Mozilla/Gecko code-base range over the widely acknowledged core products – particularly Firefox® and Thunderbird™ – and a lot of other applications more or less well-known.

MOZILLA and FIREFOX are registered trademarks of the Mozilla Foundation. THUNDERBIRD is a trademark of the Mozilla Foundation.

Reconfigure your Gecko application by a user.js file

The configuration of Gecko applications is to a great extent ruled by pref settings in the prefs.js file. That file is handled internally by the program. The settings therein are dependent on and will be over-ridden by user_pref settings in the user.js file. That file is not part of the program by default and must therefore be created by the admin or the end-user. Here is the place and now is the time to create this file ;-)

The user.js file itself is a simple ASCII text file and can be created and edited with any text editor. The Reconfiguration Script is used to fill the file with the necessary (re-)configuration commands: at most 100 user_pref’s, i.e. preference settings, which give you as an admin or end-user full control over the browser and/or mail program.

What groups of preferences reconfigurations to include

100 settings to reconfigure a program?! Is it really necessary? Definitely not. Begin optimising by making a general selection among the user_pref’s available with this script.

Take care to not accidentally reload this page while working with it, since a reload would cause the adjusted form values to be reset to the default values.

Automatic choice of user_pref’s depending on your current browser
[1] Only include the application independent user_pref’s (suitable for older program suites like Netscape 7 and Mozilla 1.7).
[2] Include the application independent user_pref’s and also those specific for the browser component (suitable for newer program suites like SeaMonkey).
[3] Only include the application independent user_pref’s relevant for the browser component and also those specific for Firefox (for Fx, but also suitable for any browser based on it, e.g. Netscape 9).
[4] Only include the application independent user_pref’s relevant for the email component and also those specific for Thunderbird (for TB, but also suitable for any mail client based on it).
[5] Include all user_pref’s. Lets you trim each individual preference.

Which individual settings to include – Fine-tuning 1-100

So, depending on the radio button checked above, unnecessary settings are disabled in the list of all the available user_pref’s below. There you may decide to include or exclude individual commands. Do remember that by using this script you only choose which user_pref("[pref name]", [value]); lines will take effect in the user.js file! If a box is unchecked, the user_pref is not included and will have no effect on the preference, i.e. the old pref in the prefs.js file will still hold. You would need to edit prefs.js to remove an unwanted preference.

SECURE IT — APPLICATION INDEPENDENT PREFERENCES

The preferences listed on a black background refer to any Gecko® product, old and new alike, while the ones listed on a red background have effect only on recent products, particularly SeaMonkey™ 1.1+, Firefox® 1.5+ and Thunderbird™ 1.5+, and programs that are derivative works upon those.
  The checked preferences in the black area are believed to be the best weighing of security/privacy and functionality. This collection of user_pref’s represents the default Reconfiguration Script’s user.js file generated by use of the appropriate button below the listing.
  The checked preferences in the red area are suggestions and you would probably like to have your say about those.

GENERAL CONCERNS

From a reading of comments over several years about Mozilla preferences, it seems that some would be in need of adjustments more than others. A great source of inspiration for the reconfigurations of security related preferences was the recommendations by NSA, a security body giving advice about network environments. Cp. its Guide to Securing Netscape 7.


NETWORK SECURITY AND PRIVACY CONCERNS

Most preferences are checked by default. They are important for security and privacy reasons, especially if you are using a somewhat older program. By checking more user_pref’s your program would be super secure, but lose some functionality.

LXR roots: The settings referred to in this section are found in the security-prefs.js, all.js, browser-prefs.js, thunderbird.js or firefox.js files in the source for the project’s 1.7 branch.

1 Validation

Use OCSP to validate only certificates that specify an OCSP service URL. Change the value to 2 only if you apply a particular signing certificate authority and URL to query for OCSP certificate verification/validation.

  1. user_pref("security.OCSP.enabled", );

2 Client certificate selection

Ask every time for the selection of a security certificate to present to web sites that require one.

  1. user_pref("security.default_personal_cert", "Ask Every Time");

3-11 Disable SSL2 and weak SSL3/TLS encryptions

Secure the Gecko 1.7 branch, where weaker encryptions are allowed. For more information, see bug 236933.

  1. user_pref("security.enable_ssl2", false);
  2. user_pref("security.ssl3.rsa_fips_des_sha", false);
  3. user_pref("security.ssl3.rsa_des_sha", false);
  4. user_pref("security.ssl3.rsa_1024_rc4_56_sha", false);
  5. user_pref("security.ssl3.rsa_1024_des_cbc_sha", false);
  6. user_pref("security.ssl3.rsa_rc4_40_md5", false);
  7. user_pref("security.ssl3.rsa_rc2_40_md5", false);
  8. user_pref("security.ssl3.dhe_rsa_des_sha", false);
  9. user_pref("security.ssl3.dhe_dss_des_sha", false);

12-16 Warning alert messages

Do not alert when loading a page that supports encryption, but warn in other cases. The dialogue will let you disable each warning until the next time you start the browser. The warning when submitting over an insecure connection is unchecked by default.

  1. user_pref("security.warn_entering_secure", false);
  2. user_pref("security.warn_entering_weak", true);
  3. user_pref("security.warn_leaving_secure", true);
  4. user_pref("security.warn_viewing_mixed", true);
  5. user_pref("security.warn_submit_insecure", true);

17 When starting a download

Show a download progress window, or by changing the value to 0, open the Download Manager.

  1. user_pref("browser.downloadmanager.behavior", );

18-21 Storing personal information and passwords

Do not save form data and use encryption when storing sensitive data. Checking the first setting would even disable the Password manager.

  1. user_pref("signon.rememberSignons", false);
  2. user_pref("wallet.captureForms", false);
  3. user_pref("wallet.crypto", true);
  4. user_pref("browser.formfill.enable", false);

22-23 Master password timeout

Ask for master password (if enabled) every 30 minutes by default. You could change the interval by entering any number of minutes in user_pref no 23.

Change the first setting’s value to 1 if the application should ask for the password every time it’s needed.

  1. user_pref("security.ask_for_password", );
  2. user_pref("security.password_lifetime", );

24 Disable Java

The preference for disabling Java is unchecked by default.

  1. user_pref("security.enable_java", false);

25-26 Cache settings

user_pref no 25 will disable all link prefetching, and no 26 disables caching altogether, but both are unchecked by default.

  1. user_pref("network.prefetch-next", false);
  2. user_pref("network.http.use-cache", false);

27-30 Cookies

Make sure cookies are disabled for mail and otherwise allow cookies based on permissions per site. See bug 366611 about the removal of support for P3P settings.

The numbers available for user_pref no 28 mean:

0 Enable all cookies (default)
1 Allow cookies from originating server only
2 Disable all cookies

The numbers available for user_pref no 29 mean:

0 Accept cookies normally
1 Ask once for cookie per site (default — do combine it with user_pref no 30)
2 Accept for current session only
3 Accept for 90 days (or any number of days set in program preferences)

  1. user_pref("network.cookie.disableCookieForMailNews", true);
  2. user_pref("network.cookie.cookieBehavior", );
  3. user_pref("network.cookie.lifetimePolicy", );
  4. user_pref("network.cookie.alwaysAcceptSessionCookies", true);

31-32 Sending referer headers

Do not send referers. The referer settings are unchecked by default. With the first preference, change the value to 1 if rather than denying referers altogether, link clicks (but not images) should result in the sending of the referer. See bugs 1582 and 141641 for caveats about disabling sending of referer headers.

Checking user_pref no 32 would inhibit sending of HTTPS referers to other HTTPS sites.

  1. user_pref("network.http.sendRefererHeader", );
  2. user_pref("network.http.sendSecureXSiteReferrer", false);

33-43 JavaScript and popup windows restrictions

Do not allow javascript in mail. Scripts should not be able to hide or change the status bar or the context menu. Checking the first setting would disable javascript altogether.

  1. user_pref("javascript.enabled", false);
  2. user_pref("javascript.allow.mailnews", false);
  3. user_pref("dom.disable_window_status_change", true);
  4. user_pref("dom.event.contextmenu.enabled", false);

Popup windows (created by scripts) should not hide the status bar or the location bar, or have a fixed size or appearance. user_pref no 38 is unchecked by default.

  1. user_pref("dom.disable_window_open_feature.status", true);
  2. user_pref("dom.disable_window_open_feature.location", true);
  3. user_pref("dom.disable_window_open_feature.resizable", true);
  4. user_pref("dom.disable_window_open_feature.minimizable", true);

Block popup windows not created as a result of a mouse click. The value 2 of user_pref no 43 allows whitelisted sites to open popups. To disable popups for all sites, change the value to 3.

  1. user_pref("dom.disable_open_during_load", true);
  2. user_pref("dom.disable_open_click_delay", 1000);
  3. user_pref("privacy.popups.disable_from_plugins", );
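
The override rule stated at the top of this listing (a pref absent from user.js keeps whatever prefs.js says) is easy to get wrong when auditing a profile by eye. The following Python script is an added example, not part of the Reconfiguration Script itself: it parses constructed prefs.js and user.js fragments, computes the effective settings with user.js winning, and reports which of the secure defaults from this section are still not in effect. The function names (`parse_prefs`, `effective_prefs`, `audit`) and the baseline dictionary are assumptions made for this example; the parser only understands the literal forms shown on this page (booleans, integers and double-quoted strings without escapes).

```python
import re

# Constructed sample of a prefs.js fragment as the program itself writes it
# (values are illustrative, not copied from any real profile).
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("security.enable_ssl2", true);
user_pref("security.ssl3.rsa_rc4_40_md5", true);
user_pref("javascript.allow.mailnews", true);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("browser.formfill.enable", true);
'''

# Constructed user.js, shaped like the file the Reconfiguration Script generates.
SAMPLE_USER_JS = '''\
// reconfigured by hand for this example
user_pref("security.enable_ssl2", false);
user_pref("security.ssl3.rsa_rc4_40_md5", false);
user_pref("network.cookie.disableCookieForMailNews", true);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("security.default_personal_cert", "Ask Every Time");
'''

# Baseline assembled from the network-security section above: the value each
# pref should hold once the checked-by-default user_pref's are in effect.
SECURE_BASELINE = {
    "security.enable_ssl2": False,
    "security.ssl3.rsa_rc4_40_md5": False,
    "security.ssl3.rsa_rc2_40_md5": False,
    "network.cookie.disableCookieForMailNews": True,
    "javascript.allow.mailnews": False,
    "security.default_personal_cert": "Ask Every Time",
    "dom.disable_open_during_load": True,
}

# Matches one user_pref("name", value); line; comments and blank lines do not match.
_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def _parse_value(raw):
    """Turn the literal right of the comma into a Python value (bool, str or int)."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)


def parse_prefs(text):
    """Return {pref: value} for every user_pref(...) line in the text."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def effective_prefs(prefs_js, user_js):
    """user.js entries override prefs.js; prefs absent from user.js keep the prefs.js value."""
    merged = dict(parse_prefs(prefs_js))
    merged.update(parse_prefs(user_js))
    return merged


def audit(effective, baseline):
    """Return {pref: (expected, actual_or_None)} for every baseline entry not satisfied.

    The type is compared too, so an integer 0 never passes as the boolean false."""
    findings = {}
    for name, expected in baseline.items():
        actual = effective.get(name)
        if actual != expected or type(actual) is not type(expected):
            findings[name] = (expected, actual)
    return findings


if __name__ == "__main__":
    eff = effective_prefs(SAMPLE_PREFS_JS, SAMPLE_USER_JS)
    for name, (want, got) in sorted(audit(eff, SECURE_BASELINE).items()):
        print(f"{name}: expected {want!r}, effective {got!r}")
```

On the constructed input the audit flags three prefs: javascript.allow.mailnews is still true because prefs.js sets it and user.js never overrides it, while security.ssl3.rsa_rc2_40_md5 and dom.disable_open_during_load are set in neither file, so they fall back to the program's built-in default and the audit cannot vouch for them.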

ANTI ANNOYANCES MEASURES FOR THE BROWSER COMPONENT

All preferences (with the exception of user_pref no 48) are unchecked by default. They are of little or no consequence to security/privacy. By checking some, your browser would escape a few (very) annoying features.

LXR roots: The settings referred to in this section are found in the all.js file or in the browser-prefs.js and firefox.js files in the source for the project’s trunk.

44-46 Window tabs

Do not hide the tab bar when only one tab is open. The second setting will append a group of tabs instead of replacing the existing tabs.

  1. user_pref("browser.tabs.autoHide", false);
  2. user_pref("browser.tabs.loadGroup", 0);

Prevent tabs opened by other applications from receiving focus.

  1. user_pref("browser.tabs.loadDivertedInBackground", true);

47-48 Internet keywords

Enable Internet keywords and disable domain guessing. See a mozilla.org® document for information about the implementation of this feature.

By unchecking user_pref no 48 it will depend on the current settings of your program whether keywords should be enabled.

  1. user_pref("browser.fixup.alternate.enabled", false);
  2. user_pref("keyword.enabled", true);

49-50 Blinking and tipping off

Checking the first setting would disable tooltips and the second would put an end to blinking text.

  1. user_pref("browser.chrome.toolbar_tips", false);
  2. user_pref("browser.blink_allowed", false);

51 Disable inline spellchecking

Disable automatic inline spellchecking for text entry controls such as textarea in HTML.

  1. user_pref("layout.spellcheckDefault", 0);

ALL CONCERNS ABOUT THE EMAIL COMPONENT

The preferences concern mail management, addressbooks and newsgroups only. Note that some functionality is dependent on settings referred to elsewhere. Security and/or privacy related preferences are checked by default. By checking more user_pref’s your mail/news client would escape a few (very) annoying features.

LXR roots: The settings referred to in this section are found in the mailnews.js file in the source for the project’s mail & newsgroups component.

52-53 Privacy controls for handling remote content

Disable plug-ins for mail and do not display remote images in messages. Remote images might verify valid email addresses to spammers.

  1. user_pref("mailnews.message_display.allow.plugins", false);
  2. user_pref("mailnews.message_display.disable_remote_image", true);

54-57 Return receipts

Never send a return receipt if addressee is not in "To" or "Cc", and ask me in other cases. Checking the first setting would disable return receipts altogether.

The numbers available for user_pref no 56 and 57 mean:

0 Never send
1 Always send
2 Ask me

  1. user_pref("mail.mdn.report.enabled", false);
  2. user_pref("mail.mdn.report.not_in_to_cc", 0);
  3. user_pref("mail.mdn.report.outside_domain", );
  4. user_pref("mail.mdn.report.other", );

58-59 Collecting addresses

Add email addresses to the Collected addressbook (not to muddle the Personal addressbook). Checking the first setting would disable address collecting (for outgoing messages).

  1. user_pref("mail.collect_email_address_outgoing", false);
  2. user_pref("mail.collect_addressbook","moz-abmdbdirectory://history.mab");

60-61 Format=flowed prefs and RFC 2646

Read messages using old style wrapping. By checking the first preference composed messages would be prevented from being transmitted with format=flowed. See Format=Flowed Mini-FAQ about this feature. Both user_pref’s are unchecked by default.

  1. user_pref("mailnews.send_plaintext_flowed", false);
  2. user_pref("mailnews.display.disable_format_flowed_support", true);

62 Duplicate messages

Mark duplicate messages as read. See bug 9413 for information. This user_pref is unchecked by default. The alternative values (numbers) mean:

1 Delete dupes
2 Move Dupes to trash
3 Mark Dupes as Read

  1. user_pref("mail.server.default.dup_action", );

63-64 Mail list appearance

Do not remember the last selected message or auto-scroll to a new message. Both user_pref’s are unchecked by default.

  1. user_pref("mailnews.remember_selected_message", false);
  2. user_pref("mailnews.scroll_to_new_message", false);

65-66 Regular compacting of folders

Compact folders when it will save over a certain amount of kilobytes, by default 100 kB. Do change the number to any threshold you prefer. Both user_pref’s are unchecked by default.

  1. user_pref("mail.prompt_purge_threshhold", true);
  2. user_pref("mail.purge_threshhold", );

OPTIMIZE IT — APPLICATION SPECIFIC PREFERENCES

The applications reconfigured with this section are secure in themselves. The preferences changes are here to smooth things a bit by getting rid of potential annoyances. Actually some reconfigurations may make the software less secure. Those user_pref’s are unchecked by default. Note that this entire section is not part of the default Reconfiguration Script’s user.js file.

DEAL WITH SEAMONKEY ANNOYANCES

LXR roots: SeaMonkey specific settings are found in the browser-prefs.js file in the source for the project.

67-71 Location bar behaviour

Turn off sudden location bar popups. By also checking user_pref no 69 autofilling of the address would be substituted for popups.

  1. user_pref("browser.urlbar.showPopup", false);
  2. user_pref("browser.urlbar.showSearch", false);
  3. user_pref("browser.urlbar.autoFill", true);

Do not select the text when clicking in the location bar (but select it by triple-click rather).

  1. user_pref("browser.urlbar.clickSelectsAll", false);
  2. user_pref("browser.urlbar.clickAtEndSelects", false);

72 The sidebar

Do not automatically open the search sidebar when doing a search.

  1. user_pref("browser.search.opensidebarsearchpanel", false);

73-75 When to open tabs

Open links from external programs, targeted links and unspecified window.open calls in tabs (instead of new windows).

  1. user_pref("browser.link.open_external", 3);
  2. user_pref("browser.link.open_newwindow", 3);
  3. user_pref("browser.link.open_newwindow.restriction", 2);

76-77 Tooltip previews and menu icons

Disable the tooltip preview of a tab’s contents. Cp. bug 315207.

  1. user_pref("browser.tabs.tooltippreview.enable", false);

Load site icons/favicons when displaying bookmarks in menus, but only if they have already been cached. Changing the number to 2 would make the browser always load and show the icons in menus. This user_pref is unchecked by default.

  1. user_pref("browser.chrome.load_toolbar_icons", );

78 Window manipulation

Allow JavaScript to move and resize existing windows. This user_pref is unchecked by default.

  1. user_pref("dom.disable_window_move_resize", false);

DEAL WITH FIREFOX ® ANNOYANCES

LXR roots: Firefox specific settings are found in the firefox.js file in the source for the project.

79 Don’t ping

No spying – ignore the ping attribute.

  1. user_pref("browser.send_pings", false);

80 Do not restore the session after a crash

This user_pref for disabling the session restore utility after a crash is unchecked by default. See the issues list for the relevance of this preference.

  1. user_pref("browser.sessionstore.resume_from_crash", false);

81-82 Phishing protection

Firefox 2 incorporates the Google Safe Browsing extension to detect and warn users of phishy web sites. The default is to keep the protection activated, but you could turn it off by changing the first setting to false. user_pref no 82 makes the browser consult a third-party provider to determine whether a site is phishy, but it is unchecked by default.

  1. user_pref("browser.safebrowsing.enabled", );
  2. user_pref("browser.safebrowsing.remoteLookups", true);

83-87 Controlling the tabs

All user_pref’s about tab control are unchecked by default, since their potential inclusions are actually a matter of opinion only.

Return to Fx 1.5 defaults. Only show the tab’s close button at the end of the tabstrip (user_pref no 83) and give focus to the adjacent tab on closing a tab (user_pref no 84).

  1. user_pref("browser.tabs.closeButtons", 3);
  2. user_pref("browser.tabs.selectOwnerOnClose", false);

Prevent tabs opened with an item from the bookmarks list from receiving focus.

  1. user_pref("browser.tabs.loadBookmarksInBackground", true);

Have search bar results always open in a new tab.

  1. user_pref("browser.search.openintab", true);

Append a group of tabs instead of replacing the existing tabs.

  1. user_pref("browser.tabs.loadFolderAndReplace", false);

88 Download directory

Choose every time where downloads get put.

  1. user_pref("browser.download.useDownloadDir", false);

89 Page reloading

Disable automatic reload of web pages by the HTML META refresh tag.

  1. user_pref("accessibility.blockautorefresh", true);

DEAL WITH THUNDERBIRD ANNOYANCES

LXR roots: Thunderbird specific settings are found in the all-thunderbird.js file in the source for the project.

90 Phishing detection for link clicks

The default is to keep phishing detection enabled, i.e. analyze URLs in mail messages for scams, but you could turn it off by changing the setting to false.

  1. user_pref("mail.phishing.detection.enabled", );

91 No preview text

Disable preview text in mail alerts and folder tooltips.

  1. user_pref("mail.showPreviewText", false);

MISCELLANEOUS

The remaining application independent preferences we need to deal with are diverse annoyances found here and there and they might or might not have an effect on your software. Only security related preferences are checked by default.

92-93 Automatic updates

The application should automatically check to see if there is an updated version of itself, but should prompt before downloading major releases. Changing the first setting to false would disable automatic updates.

  1. user_pref("app.update.auto", );
  2. user_pref("app.update.mode", 2);

94-97 Fonts

For readability on screen, fonts should not have serifs and font size should not be less than the pixels you state (for instance 10 px). These user_pref’s are unchecked by default.

  1. user_pref("font.default.x-unicode", "sans-serif");
  2. user_pref("font.default.x-western", "sans-serif");
  3. user_pref("font.minimum-size.x-unicode", );
  4. user_pref("font.minimum-size.x-western", );

98 Let Windows OS have memory if the application is minimized

Allow the application to release memory for the benefit of other programs. See bug 76831 for more information. This user_pref is unchecked by default.

  1. user_pref("config.trim_on_minimize", true);

99 Preferences window

Changes to preferences should become active immediately, even on Windows OS. This user_pref is unchecked by default.

  1. user_pref("browser.preferences.instantApply", true);

100 Show the world

Add a note to the user agent string. Do observe that this user_pref is always included.

  1. user_pref("general.useragent.extra.user_js","reconfigured by user.js v0.6");


Time to get the content to copy/paste



After generating the code, press the Select it button, copy the code and paste it into an empty file. Save the file as user.js to the same directory/folder as the prefs.js file. To locate prefs.js you would need to locate the profile folder on the disk. Guides for that purpose exist for Firefox users and Thunderbird users and there are also more general instructions.

Well, you’re done :-) Restart the browser or the email program and prefs.js will incorporate the new or changed settings from the user.js file, and the program adjusts itself accordingly.
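
For anyone who would rather generate the user.js file from a script than from the form, the Python below is an added example and not the Reconfiguration Script’s own code. It shows the formatting rules a hand-written user.js must obey (booleans lower-case, integers bare, strings double-quoted with embedded quotes and backslashes escaped) and adds the check the instructions above imply: the file is only written into a directory that already contains a prefs.js, i.e. a real profile folder. The function names, the header comment and the constructed `DEFAULT_SELECTION` dictionary (a subset of the checked-by-default prefs from the listing) are assumptions made for this example.

```python
import os
import tempfile

# Constructed selection: a subset of the checked-by-default user_pref's above,
# with the values the listing shows. Unchecked prefs are simply left out.
DEFAULT_SELECTION = {
    "security.default_personal_cert": "Ask Every Time",
    "security.enable_ssl2": False,
    "security.ssl3.rsa_rc4_40_md5": False,
    "security.warn_entering_secure": False,
    "security.warn_leaving_secure": True,
    "signon.rememberSignons": False,
    "network.cookie.disableCookieForMailNews": True,
    "javascript.allow.mailnews": False,
    "dom.disable_open_click_delay": 1000,
    "general.useragent.extra.user_js": "reconfigured by user.js v0.6",
}


def format_value(value):
    """Render a Python value as the literal a user_pref line expects.

    bool is tested before int because bool is a subclass of int in Python."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'"{escaped}"'
    raise TypeError(f"unsupported pref value type: {type(value).__name__}")


def generate_user_js(selected, header="// user.js generated for this example"):
    """Emit one user_pref(...) line per selected pref (order does not matter to Gecko)."""
    lines = [header]
    for name in sorted(selected):
        lines.append(f'user_pref("{name}", {format_value(selected[name])});')
    return "\n".join(lines) + "\n"


def write_user_js(selected, profile_dir):
    """Write user.js next to prefs.js and return its path.

    Refuses when prefs.js is absent: that means profile_dir is not the profile
    folder the instructions tell you to locate, and a user.js there would be ignored."""
    if not os.path.isfile(os.path.join(profile_dir, "prefs.js")):
        raise FileNotFoundError(f"no prefs.js in {profile_dir}: not a profile folder")
    path = os.path.join(profile_dir, "user.js")
    # The page describes user.js as a plain ASCII file, so non-ASCII values are rejected here.
    with open(path, "w", encoding="ascii") as fh:
        fh.write(generate_user_js(selected))
    return path


def demo():
    """Round-trip in a scratch directory; returns (wrote_ok, refused_without_prefs)."""
    with tempfile.TemporaryDirectory() as scratch:
        refused = False
        try:
            write_user_js(DEFAULT_SELECTION, scratch)
        except FileNotFoundError:
            refused = True
        # Create an empty prefs.js so the scratch directory now looks like a profile folder.
        open(os.path.join(scratch, "prefs.js"), "w").close()
        path = write_user_js(DEFAULT_SELECTION, scratch)
        with open(path, encoding="ascii") as fh:
            wrote_ok = 'user_pref("security.enable_ssl2", false);' in fh.read()
    return wrote_ok, refused


if __name__ == "__main__":
    print(generate_user_js(DEFAULT_SELECTION))
    print("demo:", demo())
```

To use it against a real profile, call write_user_js(DEFAULT_SELECTION, "<path to your profile folder>") and then restart the program, exactly as the instructions above describe; the prefs.js check stops the common mistake of saving user.js one directory too high.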


© lars.pm <mailto:larspeemm@netscape.net>